[sudo-users] issue with sudo_ldap
Todd C. Miller
Todd.Miller at courtesan.com
Tue Nov 8 14:37:11 MST 2016
There does appear to be a bug in the host matching: once a negated (`!`) sudoHost value had been examined, the remaining values were skipped, so any host listed after a negated one would fail to match. I'm not sure that explains what you are seeing though.
I've committed a fix: https://www.sudo.ws/repos/sudo/rev/40cbd5790106
Below is the same diff based on 1.8.18p1 rather than trunk.
- todd
diff -r abda86e3b777 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c Mon Oct 10 09:10:34 2016 -0600
+++ b/plugins/sudoers/ldap.c Tue Nov 08 14:13:42 2016 -0700
@@ -721,20 +721,21 @@
{
struct berval **bv, **p;
char *val;
- bool ret = false;
- bool foundbang = false;
+ int matched = UNSPEC;
debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
if (!entry)
- debug_return_bool(ret);
+ debug_return_bool(false);
/* get the values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoHost");
if (bv == NULL)
- debug_return_bool(ret);
+ debug_return_bool(false);
/* walk through values */
- for (p = bv; *p != NULL && !foundbang; p++) {
+ for (p = bv; *p != NULL && matched != false; p++) {
+ bool foundbang = false;
+
val = (*p)->bv_val;
if (*val == '!') {
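Review bot: The tri-state `matched` together with the `matched != false` loop condition encodes a precedence rule — a negated sudoHost that matches ends the scan as a denial, while a positive match keeps scanning so a later `!host` can still override it — but nothing in the hunk says so, and the next reader will wonder why the loop does not stop on the first hit. I would put a comment above the `for`: `/* matched is UNSPEC until a value matches; a negated match is final (false), a positive match (true) keeps scanning so a later negated value can still override it, since LDAP attribute values carry no guaranteed order. */` This assumes UNSPEC is defined elsewhere as a value distinct from true and false. The signature of sudo_ldap_check_host and the rest of the loop body lie outside this hunk.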
@@ -746,14 +747,17 @@
if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
netgr_matches(val, user_runhost, user_srunhost,
def_netgroup_tuple ? pw->pw_name : NULL) ||
- hostname_matches(user_srunhost, user_runhost, val))
- ret = !foundbang;
- DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+ hostname_matches(user_srunhost, user_runhost, val)) {
+
+ matched = foundbang ? false : true;
+ }
+ DPRINTF2("ldap sudoHost '%s' ... %s",
+ val, matched == true ? "MATCH!" : "not");
}
ldap_value_free_len(bv); /* cleanup */
- debug_return_bool(ret);
+ debug_return_bool(matched == true);
}
static int
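Review bot: The DPRINTF2 at the end of the loop body reports the running `matched` rather than the result for `val`, so once an earlier value has matched, every subsequent non-matching value is logged as "MATCH!", and a negated value that does match (and ends the scan with `matched = false`) is logged as "not". That makes the debug trace misleading when diagnosing exactly the kind of host-matching report this fix came from. I would capture the per-value result in a local, e.g. `bool hit = strcmp(val, "ALL") == 0 || addr_matches(val) || …;`, then `if (hit) matched = foundbang ? false : true;`, and log `hit ? (foundbang ? "NEGATED MATCH" : "MATCH!") : "not"`. The enclosing function begins before this hunk.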
diff -r abda86e3b777 plugins/sudoers/sssd.c
--- a/plugins/sudoers/sssd.c Mon Oct 10 09:10:34 2016 -0600
+++ b/plugins/sudoers/sssd.c Tue Nov 08 14:13:42 2016 -0700
@@ -741,13 +741,12 @@
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{
char **val_array, *val;
- bool ret = false;
- bool foundbang = false;
+ int matched = UNSPEC;
int i;
debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
if (rule == NULL)
- debug_return_bool(ret);
+ debug_return_bool(false);
/* get the values from the rule */
switch (handle->fn_get_values(rule, "sudoHost", &val_array)) {
@@ -758,11 +757,13 @@
debug_return_bool(false);
default:
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
- debug_return_bool(ret);
+ debug_return_bool(false);
}
/* walk through values */
- for (i = 0; val_array[i] != NULL && !foundbang; ++i) {
+ for (i = 0; val_array[i] != NULL && matched != false; ++i) {
+ bool foundbang = false;
+
val = val_array[i];
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
@@ -775,16 +776,18 @@
if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
netgr_matches(val, handle->host, handle->shost,
def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
- hostname_matches(handle->shost, handle->host, val))
- ret = !foundbang;
+ hostname_matches(handle->shost, handle->host, val)) {
- sudo_debug_printf(SUDO_DEBUG_INFO,
- "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+ matched = foundbang ? false : true;
+ }
+
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
+ val, matched == true ? "MATCH!" : "not");
}
handle->fn_free_values(val_array);
- debug_return_bool(ret);
+ debug_return_bool(matched == true);
}
/*
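Review bot: sudo_sss_check_host is now a line-for-line twin of sudo_ldap_check_host in plugins/sudoers/ldap.c — the same tri-state `matched`, the same `foundbang ? false : true` assignment, the same debug message — and this bug had to be fixed in both copies. A shared helper taking the value list (or a callback yielding the next value) plus the host/shost pair would keep the two backends from drifting again, since only the value retrieval and the `handle->host`/`user_runhost` arguments differ. Separately, the sudo_debug_printf here prints the running `matched`, so after one match every later non-matching value is logged as "MATCH!" and a matching `!host` as "not"; a local `bool hit` for the current value, with `hit ? (foundbang ? "NEGATED MATCH" : "MATCH!") : "not"`, would make the trace truthful. The function's opening lines and the `!` handling are in earlier hunks.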